In Your Face

In Your Face
Thought provoking opinions on topical issues.

Friday, December 20, 2002

The Added Value of Internal Audit, a Brief Overview

There is a joke which sums up some peoples’ attitudes to internal audit; it goes as follows:

There is a pint glass, it contains half a pint of milk.

The optimistic manager says that the glass is half full.

The pessimistic manager says that the glass is half empty.

The internal auditor says that the milk is sour
.”

Well I suppose, having run international internal audit departments in Philips and De Beers, I could be accused of being prejudiced. However, I firmly believe that a well run, independent and pro active internal audit department can add significant value to an organisation and its connected parties (such as shareholders).

I would point out that had the internal audit departments in both Enron and WorldCom operated in a professional and independent manner; then the gross mismanagement and corruption in these two companies would, in my opinion, not have occurred.

So how can an internal audit department add value? I will start with the basic, textbook, definition of the role of internal audit.

Internal audit provides independent objective assurance to the Board as to the adequacy of the business controls, and the effectiveness of the risk management and risk identification process.

In other words, the internal audit department should tell the Board when the company is being poorly managed, where risks are not being identified or mitigated and when the business objectives are not likely to be met.

In addition to this very wide ranging remit, a well run internal audit department adds value in the following ways:

 It acts as a training ground for future line managers, by exposing fast track members of the department to a variety of situations, activities and functions within the organisation.

 It provides a “one stop shop” for best practice advice.

 It provides an independent, objective opinion as to the quality of the business controls.

 It stimulates risk awareness throughout the organisation.

 It is a source of qualified, experienced talent that can aid management in business improvement programmes.

 It provides specialist professional independent opinions on a variety of situations; such as due diligence exercises.

 It reports on fraudulent activity within the organisation, with a view to understanding how it happened and how to prevent it occurring again.

 It ensures that the company wide initiatives, such as a code of conduct, are being adhered to.

I will expand on the subjects of business controls, risks (click here for risk article) and what constitutes a well run audit department (click here for the latter) in forthcoming articles.

Wednesday, December 18, 2002

Characteristics of a Well Managed Organisation

My experiences whilst working with KPMG, Philips and De Beers have given me a detailed understanding as to what constitutes a well managed organisation. I have put together my personal “top ten” list of the characteristics of a well managed organisation.

1. The organisation has a mission statement which is clearly communicated, and understood, by all members of the organisation. This will form the basis of the bsuiness plan.

2. The organisational structure is clearly defined, understood and appropriate for the activities carried out. Specifically, with regard to human reporting lines, there should be no dual/dotted reporting lines; these clutter up the clarity of the decision making process and cause conflict within the organisation. With regard to the actual organisational structure, this should be as “clean” and transparent as possible; complex off balance sheet arrangements at best confuse, and worst are deliberate attempts to obfuscate reality from interested parties (such as the Internal Revenue Service). In respect of the latter, I draw your attention to Enron.

3. The management of the organisation should clearly delegate responsibility for activities to those most appropriately qualified to perform them.

4. Targets and key performance indicators should be appropriate to the organisation’s mission, and be clearly communicated and understood. They should be stretching, but achievable; above all they should be measurable.

5. Management information must be timely, accurate, relevant and reliable. What gets measured gets done!

6. Management should take appropriate, timely, corrective actions in the event that targets are not being achieved.

7. There must be appropriate segregation of duties to ensure that one person’s ego does not take the organisation down the path to oblivion; specifically the roles of President, CEO and CFO must be separated.

8. There should be an independent supervisory board of appropriately qualified independent non executive directors. In my view, it is not merely enough for these non executives to posses titles and a string of directorships. They must be able to demonstrate that they deserve to hold office, and be proactive and “muscular” in their role; the non executives of, for example, Marconi and Cable and Wireless singularly failed in their roles.

9. There should be an independent, well qualified, proactive internal audit department which reports to an independent audit committee.

10. The organisation should have a code of conduct which is in the public arena and which is seen to be, and used as, a living document. See my article on Codes of Conduct (click here to read it) for more details.

Now, take a look at the organisation that you are dealing with/working for; does it posses all of the above? If not; then you should consider moving on, and dealing with/working for another better run organisation.

Tuesday, December 17, 2002

Ten Types of Fraud

In my roles as Head of Internal Audit and International Forensic Co-ordinator, in both Philips and De Beers, I have had many years of experience investigating frauds. Based on this experience I have put together my personal “top ten” list of common types of fraud. I recommend that you also read Ten Reasons Frauds Occur (click here to read it).

1. Falsification of expense claims – an old favourite with both senior and junior staff. Common “ruses” include; inflating mileage claims, entertaining friends and relatives at the company’s expense and claiming for expenses never incurred by stating that “the receipt must have been mislaid”.

2. Stealing money from the company bank account – the perpetrator having got away with this once, will usually try it again and again; until it is discovered. I personally reviewed a case where the perpetrator had been routinely helping himself to company cash for some twenty years.

3. Manipulating sales figures so as to reach target and achieve bonus – a simple version of this involves booking sales in one month (usually a quarter end) then crediting them back the next. Naturally unless the perpetrator keeps this “teeming and lading” up, the overstatement in one month will be shown as a shortfall in the next. Another, well worn, version of this involves booking orders as sales.

4. Falsifying supplier invoices – this is a little more daring, one case I have on record involved a senior manager who had some substantial renovation work carried out on his house. He then arranged for the invoices from the contractor to be sent to the company, posing as costs for work carried out on company premises.

5. Theft of stock – a time honoured way to make a “fast buck”. The perpetrator will over a period of time abscond with a number of items from the warehouse, and resell these to friends, family and members of the public. So long as the stock losses are within tolerance, then it is possible for this “scam” to remain undetected for a significant period of time.

6. Transactions that are not “arms length” – when a well run company asks for tenders for a service contract with a third party they usually obtain at least three closed quotes. The best value quote should then be selected. When the system does not run effectively, there is an opportunity for friends and relatives of the purchasing department to send in quotes that are accepted; bypassing the quotes from reputable suppliers. “Arms length” also applies to sales transactions where the purchaser bribes the salesman in return for a favourable contract.

7. Tax evasion – fraud on the corporate level. Excessively complex organisational structures are created, designed to obfuscate the revenue streams; and so hide reality from third parties, such as the Internal Revenue Service. Enron, with its complex off balance sheet structure and transactions, is a textbook example of this.

8. Fictitious invoicing – where there are poor accounting controls and insufficient segregation of duties in the F&A department the fraudster, if suitably positioned, can arrange for invoices (for services never delivered) from connected parties to be passed for payment.

9. Acquisition of company property at less than market value – this requires the collusion of at least two people (usually quite senior). Company property, such as fixed assets, offered for sale is “sold” to one of the individuals at a bargain price approved by the other. The property is then resold at market value, and the profit split.

10. Theft of raw materials – manufacturers should measure the quantities and costs of the raw materials used in the manufacturing process. Some processes use expensive materials, such as gold. When the measurement system has been compromised, or management do not investigate adverse yield variances, the fraudster has the opportunity to steal the raw material and sell it to third parties.

As I have noted this is my personal top ten, believe me there are many other types of frauds that have been, and are being, perpetrated.

Monday, December 16, 2002

Ten Reasons Frauds Occur

In my roles as Head of Internal Audit and International Forensic Co-ordinator, in both Philips and De Beers, I have had many years of experience investigating frauds. Based on this experience I have put together my personal “top ten” list of reasons why frauds occur.

1. Greed - good old fashioned human nature intervenes when an individual, or group of individuals, sees a chance to make “a fast buck”. A good example being those cases where people “adjust” their expense claims upwards.

2. Lack of transparency - complex financial transactions that are difficult to understand are an ideal method to hide a fraud. The Barings fraud was perpetrated by use of an accounting “dump account” that no one understood.

3. Poor management information – where a company’s management information system does not produce results that are timely, accurate, sufficiently detailed and relevant; the warning signals of a fraud, such as ongoing theft from the bank account, can be obscured.

4. Excessively generous performance bonus payments – the more generous the bonus, when coupled to a demanding target; the more temptation there is to manipulate results, such as year end sales figures, to reach that target.

5. Non independent internal audit department – where an organisation’s internal audit department is not independent, eg the where it does not report to a truly independent audit committee but to the Finance Director, the more likely that when there are signals that a fraud is occurring the more likely they will be ignored. It is indeed interesting to note that Cynthia Cooper (Head of Internal Audit at WorldCom) had to bypass her boss (the CFO) and go directly to the audit committee to report the discovery of the capital expenditure fraud.

6. Lack of clear moral direction from senior management – leadership comes from the top. Where the senior management indulge themselves in “semi corrupt” behaviour, eg adjusting their expense claims upwards, others will follow adopting the well worn mantra “everyone’s at it”.

7. Excessively complex organisational structure - designed to obfuscate the revenue streams; and so hide reality from third parties, such as the Internal Revenue Service. Enron, with its complex off balance sheet structure and transactions, is a textbook example of this.

8. Poor accounting controls– where the accounting controls, such as a monthly reconciliation of the bank account, are lapse the signals that a fraud has occurred will be missed.

9. Arrogance – some people believe that they are better than “the system”, and that they can get away anything. The late Robert Maxwell (of the Mirror Group) plundered his company pension scheme, arrogantly assuming that since he was chairman of the company he could get away with it; he almost did!

10. Complacency – I have met many a manager who has an almost childlike faith, based in part on the “old boy” network, in the probity of their colleagues; believing that fraud “is not the sort of thing that could happen here”. Others will, and do, take advantage of that trust.

My simple advice is, if you think that a fraud may be happening then fear the worst; because it probably is.

Wednesday, December 04, 2002

An Idiot's Guide To Assessing Organisational Performance

The lamentable failures with the world of commerce over the past few years, eg Enron, Marconi and WorldCom, lead me to conclude that effective corporate governance is merely a phrase to be trotted out to the media; rather than, as it should be, a way of life in some organisations. Additionally, the fundamentals of what constitutes good corporate governance and effective management appear to have been overlooked by individuals (such as investors and analysts) and organisations (such auditors); when they are reviewing an organisation’s performance.

Therefore, based on many years of practical experience around the world, in the spirit of sharing best practice (teaching my grandmother to suck eggs maybe?); I have put together a basic checklist of questions that one should ask, and receive a satisfactory response to, when making a judgement as to the effectiveness of an organisation’s management. This is not designed to be a fully comprehensive, “covers all situations”, questionnaire.

However, the list should cover the key areas relevant to most organisations; be they companies, charities, political/military/scientific/educational bodies. The checklist should be tailored to fit the specific circumstances; naturally, depending on the answers received, more probing questions can/should be asked.

In my opinion, this checklist would be of benefit to a variety of individuals and organisations including, but not limited to:

 Individual investors

 Analysts

 Internal/external audit

 Non Governmental Organisations

 Politicians

 Audit Committees

 Employees

In fact any stakeholder or interested party.

I have divided it into a number of sections, for ease of use.

Finger on the Pulse

1 What are the objectives of the organisation?

2 Are these objectives translated into realistic, achievable plans with timeframes and measurable milestones?

3 Are the objectives and plans communicated and understood by all?

4 What are the risks and opportunities that will affect the business objectives?

5 What is Management doing to address both the risks and opportunities?

6 Are there/have there been any major EDP changes planned? If so what are they, and what is the expected cost, benefit, timeframe for installation and payback period?

7 Have there been any frauds?

8 Details of any litigation being taken out either by or against the organisation?

9 Obtain the latest organisation chart, both senior personnel and organisational. Are there clear reporting lines?

10 Have there been any major investments/disinvestments previously or planned?

11 Ensure that there is an audit committee, and that it is independent of the Board.

12 Does the internal audit function report to the audit committee? If not, why not?

13 Review third party and (where applicable) internal audit reports.

Management Information

1 Review the latest results and compare to budget. Ensure that management receive regular (at least monthly) summaries of results (what gets measured gets done!).

2 Are the relevant key performance indicators on target eg RONA, Debtor days (DSO), cash flow?

4 Can management explain clearly, any material deviance from budget?

5 Are there adequate corrective actions in place to arrest negative deviations from budget?

6 Discuss the results with the appropriate Manager.

Have regard to, for example :

- Products with low sales against budget.

- Negative margins

Ensure that explanations for any of the above are adequate and that there are suitable corrective action plans in place to address these issues. Where the explanation seems confusing, be on your guard; either the manager doesn’t understand it or it is deliberate obfuscation.

7 Are there any areas where costs are significantly above budget? Why?

8 What are the corrective action plans to address these?

9 Review the debtor and creditor days figures. If these are high, what is Management doing to improve the situation?

10 Review the levels of stocks and enquire into reasons for levels that are higher than budget.

11 Obtain the latest forecast for the year and enquire into any significant variances between that and the budget. Also review the adequacy of the corrective actions.

Risk Management

1 Have management performed a risk assessment? If not why not?

2 Did the risk assessment highlight control gaps? If so, is there a corrective action plan?

3 Where there is a log of corrective actions :

- Do the corrective actions have a deadline and person responsible for completing the action?

- Are the deadlines being met? If not why not?

5 Is there a team responsible for monitoring progress of the action plan? If not why not? Is the process alive?

Financial Controls

1 Review the balance sheet for unusual dump accounts and other unusual items.

2 Select a sample of accounts eg accruals, provisions etc and ensure that they are adequately supported by documentary evidence/working papers.

3 Ensure that main sub ledgers are reconciled to the General Ledger.

4 Check a sample of debtors to ensure that credit limits are not exceeded.

5 Review adequacy/necessity for any provisions held.

6 Is there adequate data relating to currency exposure? How does the unit manage its exposure?

7 Are the main accounting functions/duties adequately segregated?

8 Does the CFO regularly monitor/review the controls and General Ledger? Is this evidenced, eg by use of a checklist?

9 Does the General Ledger agree to the monthly information submitted to the head office for consolidation?

11 Ensure that there are written procedures with regard to expense claims. Select a sample of expense claims and ensure that they follow the rules, are properly authorised and supported by documentary evidence, eg invoices. Ensure that there is no self authorisation of either expense claims or travel requisitions.

Code of Conduct

1 Does the organisation have a code of conduct? If so, has it been distributed to all members of staff?

2 Do all new employment contracts contain a reference to compliance?

3 Have there been any occasions of non compliance? Details please.

4 Have the non compliance occasions been reported to a Compliance Officer? What action has been taken?

Sunday, December 01, 2002

Leadership and Change Management

I have, over the years, had the “privilege” to observe at close quarters a variety of management and leadership styles. I would like to summarise these styles by using the following example, set millennia ago in a world of cave dwelling tribes.

Imagine, if you will, three tribes each living in their own set of caves. They each have a leader; A, B and C. Leader A sees that the current situation does not present a long term viable solution to the future housing, and resource, requirements of the community. A sees that in the valley, beyond the neighbouring jungle, there are resources; timber, food, pasture etc that will support a living growing community. Leader A also identifies that to take the tribe from the cave to the valley will be difficult and that there are risks involved; such as navigating their way through the jungle and feeding the tribe. However, the primary obstacle to relocating the tribe is their own natural inertia, namely the human characteristic of resistance to change. The caves are comfortable and safe, the huts that the tribe would have to build to live in the valley are a new untested idea; and after all, why put yourself in danger by uprooting and crossing the jungle?

A’s primary task is present a coherent, well researched and practical plan to the tribe; that outlines the dangers of staying put, the risks of crossing the jungle and the opportunities and rewards of moving to the valley. Leader A does not worry about focus groups, who would tell him that the tribe are quite happy to stay where they are. A calls a meeting of the tribal elders; and presents the case for moving, together with an analysis of the risks involved. The elders give their support and then communicate the message to the rest of the tribe. A sets out the details of the plan, allocates responsibility to specific elders for specific tasks and sets key performance indicators (such as daily food consumption) ensuring that they are regularly measured and action taken to improve performance where necessary. The tribe sets off and, during the long journey, A ensures that the tribe are kept “up to speed” with progress by regularly briefing them; measurable achievements are rewarded (eg by giving an extra food ration) thereby ensuring that people are motivated. The tribe reaches the valley, and development work on the huts begins.

Leader B also sees the valley and appreciates the fact that the tribe should not “stay put”. However, B does not perform sufficiently detailed research (not being a person with an interest in details) and overlooks the risks of crossing the jungle. B presents a very upbeat plan to the tribe (over the heads of the elders), no mention is made of the potential risks; after all B has not identified them! The tribe happily accept the vision of a new utopia and set off. Trouble, as it is wont to do, makes an unwelcome appearance. The lack of research into what would actually be required on the journey has meant that insufficient food was taken by the tribe. Additionally, no measurement system was put into place to monitor daily consumption (the devil is in the detail!). The food runs out, the tribe becomes disillusioned and scared. The elders wash their hands of the affair, and point out they were not involved in the decision making process. B is isolated and unsupported, there being no back up plan B starts to make panic decisions which exacerbate the situation. The tribe become hopelessly lost in the jungle.

Leader C likes the security and warmth of public approval, whilst C feels that it would be better to move the elders point out that the tribe are very happy where they are. Since there is no immediate threat to the tribe, or the leader, the decision can be postponed for a number of years. C agrees, why rock the boat? The tribe therefore stays put.

Let us now return to the scene some years later. What has happened to the three tribes. The first tribe succeeded in crossing to the valley and building the huts. They are flourishing, animals are being reared, crops nurtured and the tribe’s birth rate increasing.

The second tribe disintegrated into disarray and confusion, elders made a series of destabilising leadership bids and members of the tribe formed rival factions. In fact the tribe no longer exists as an identifiable entity. Some members made it through the jungle and joined up with the first tribe, others died, whilst some still inhabit the jungle (reverting to pre cave-dwelling status, reverse evolution in fact).

The third tribe is stagnating, birth rates are falling, the local eco system cannot support the tribe and it looks likely that they face extinction.

What does this tell us about leadership and change management? In my opinion successful leadership and change management require the following conditions to be fulfilled:

1. An effective leader must have the vision to see what can be achieved by changing the status quo. This vision must be clearly communicated and understood; if you don’t know where you are going, or why, then chances are you won’t get there!

2. An effective leader must have sufficiently researched the facts and details in order to formulate a successful plan.

3. An effective leader must understand the risks, and ensure that they can be managed to an acceptable level.

4. The plan must obtain the “buy in” of the people expected to carry it out. This requires that the rewards, risks and hardships involved must be fully and openly explained.

5. Key performance indicators should be set. These should be measured, and corrective actions taken in the event that targets are not met.

6. A reward structure must be developed to ensure that people are motivated.

7. Ongoing communication to the people carrying out the plan, as to its progress against target, must be maintained.

8. An effective leader should see the task through to completion, and not leave halfway through.

Take a look around you, at your company's management and at your politicians. Which category do they fall into? Should your answer be B or C then get rid of them, or find a place where leader type A runs the show.